Feds Developing Cloud Security Program - InformationWeek


Proposed FedRAMP effort would make it easier for federal agencies to overcome compliance hurdles and participate in the Obama administration's drive toward the cloud.

In a move that could accelerate the federal government's shift toward cloud computing, an inter-agency working group is developing a unified, government-wide risk management program that should greatly decrease the amount of security work agencies need to do to get up and running on cloud services.

Security has been one of the major barriers to the government's adoption of cloud computing, and the proposed new effort, currently called the Federal Risk and Authorization Management Program Pilot, or FedRAMP, would give agencies that sign up a new, centralized approach to thorny security problems such as certification and accreditation.

If implemented, FedRAMP will develop common security requirements for specific types of systems, provide ongoing risk assessments and continuous monitoring, and carry out government-wide security authorizations that will be posted on a public Web site. Agencies would also be able to see what security controls have been implemented in different products and services. This way, complicated certification and accreditation processes would only need to be carried out once per cloud service, and agencies could leverage shared security management services.

Today, each agency that wants to adopt cloud computing technology, whether it's Salesforce.com or the Department of the Interior's National Business Center, typically duplicates tests already done by other agencies to ensure the service they're signing up for meets the government's security requirements. That leads to longer-than-necessary lead times to adoption and decisions not to adopt because the certification and accreditation process can be tedious.

Additionally, agencies each have their own flavor of security policies, despite government-wide risk management framework guidelines set by the National Institute of Standards and Technology, and government-wide security efforts like the Einstein intrusion detection and prevention system, or the Trusted Internet Connections initiative. That leads to vexing complexity for vendors and inconsistencies among different agencies, even though all agencies operate on a common core of security requirements.

FedRAMP won't supplant existing agency authority and responsibility to manage information security, said Peter Mell, a senior computer scientist at NIST and vice chair of the Cloud Computing Advisory Council (the body that initially proposed FedRAMP), but it will provide agencies with a more efficient way to carry out those responsibilities.

"The benefit is that this would decrease agency workload with respect to large, outsourced systems and government-wide systems," Mell said, pointing to the possibility of lower costs and accelerated deployments as a result.

Initially, the effort would focus exclusively on public and private cloud computing technologies -- software-as-a-service, infrastructure-as-a-service, and platform-as-a-service -- but could eventually branch out to cover traditional Web hosting and "other domains," according to Mell.

Since different agencies have different security requirements, FedRAMP's planners are working with agencies to develop baselines for specific domains that will be generally acceptable to most agencies. Agencies could then leverage the government-wide authorizations, and for any agency that still needs to do additional work itself, most of the work will already have been done.

The formation of the FedRAMP project began last October in the inter-agency Cloud Computing Advisory Council's security working group, but it shares its philosophical underpinning with some of the principal ideas of federal CIO Vivek Kundra, who often speaks of the need to make it easier for the government to adopt new information technologies.

FedRAMP passed an initial test when it was approved by the Cloud Executive Steering Committee, a voting body of government CIOs, in January. Now, the Interagency Cloud Working Group -- headed by Kundra -- is determining how best to implement the process. The government is ready to move rapidly into a pilot phase upon Kundra's approval, Mell said.

FedRAMP would have a dedicated staff to do things like oversee continuous monitoring and update certifications and accreditations, but Mell says it's too early to say which agencies and government officials might take lead roles. However, NIST is playing an important role by helping to develop the "technical foundation" to make the effort possible and by coordinating between agencies to turn vision into reality.
